System and method for remotely securing or recovering a mobile device

ABSTRACT

The present invention provides a system and method for remotely securing, accessing, and managing a mobile device or group of mobile devices. The invention enables a remote access web page to be generated by a server and displayed on a client computer. The server receives requested actions from the client computer and interacts with the mobile device to perform the actions. In the case of a lost or stolen device, the invention enables a user to take actions leading to the recovery or destruction of the device and data stored on it. The invention enables multiple types of remote access, including: locking the device, backing up data from the device, restoring data to the device, locating the device, playing a sound on the device, and wiping data from the device. The invention may be used to provide both self-help and administrator-assisted security for a device or group of devices.

CROSS REFERENCE TO RELATED APPLICATIONS

The present application is related to the following co-pending U.S.patent applications: U.S. patent application Ser. No. 12/255,635,entitled “SECURITY STATUS AND INFORMATION DISPLAY SYSTEM” filed Oct. 21,2008, U.S. application Ser. No. 12/255,632, “SECURE MOBILE PLATFORMSYSTEM” filed Oct. 21, 2008, U.S. application Ser. No. 12/255,626,“SYSTEM AND METHOD FOR A MOBILE CROSS-PLATFORM SOFTWARE SYSTEM” filedOct. 21, 2008, U.S. patent application Ser. No. 12/255,621, “SYSTEM ANDMETHOD FOR ATTACK AND MALWARE PREVENTION” filed Oct. 21, 2008 and U.S.patent application Ser. No. 12/255,614, “SYSTEM AND METHOD FORMONITORING AND ANALYZING MULTIPLE INTERFACES AND MULTIPLE PROTOCOLS”filed Oct. 21, 2008, which are all hereby incorporated by reference.

FIELD

The present invention relates generally to mobile communications devicesand more specifically to systems and methods for enabling a user oradministrator to remotely secure, control and manage a mobile device orgroup of mobile devices.

BACKGROUND

Mobile devices have evolved beyond simple telephone functionality andare now highly complex multifunctional devices with capabilitiesrivaling those of desktop or laptop computers. In addition to voicecommunications, many mobile devices are capable of text messaging,e-mail communications, internet access, and the ability to runfull-featured application software. Mobile devices can use thesecapabilities to perform online transactions such as banking, stocktrading, payments, and other financial activities. Furthermore, mobiledevices used by an individual, a business, or a government agency oftenstore confidential or private information in forms such as electronicdocuments, text messages, access codes, passwords, account numbers,e-mail addresses, personal communications, phone numbers, and financialinformation.

As the criticality of mobile devices grows, missing devices become anincreasingly severe problem. Currently, when a mobile device is lost, auser may try to locate it by calling the device's phone number; however,unless it is within close proximity to the user, the device will notlikely be found. If the mobile device is not found, the user mustdeactivate the account associated with the missing device and transferit to a new device which is likely purchased at substantial cost to theuser or organization. Any data present on the missing device will belost unless it is backed up or stored somewhere outside of the device.Re-entering lost data such as contact information and device settingsmay entail hours of work. In addition, certain types of informationbeing present on a mobile device may require a business or governmentagency to perform a damaging and costly public breach disclosure.

A malicious person who steals or finds a mobile device may use thedevice itself or the information stored on it for illegitimate purposes.A stolen device may be used to place phone calls, perform financialtransactions, or subject its owner to financial loss in other ways.Furthermore, the confidential or private information on a device may beextracted by an unauthorized individual and used to the detriment of thedevice's owner. In many cases, the loss of government, business, orpersonal data is far more problematic than the replacement cost of themobile device. In the case of government or certain business devices,preventing the data from a lost or stolen device from falling intomalicious hands is of extreme importance to national security.

It is important for users and administrators to be able to remediateproblems associated with lost or stolen devices as quickly and easily aspossible. In organizations that utilize multiple types of mobiledevices, each with separate management systems, dealing with a lost orstolen device may be a complex process. Furthermore, end users typicallymust contact and rely on an administrator in order to secure a missingdevice, often resulting in a period of several days between the time ofloss and when remote security actions are finally initiated. Such adelay significantly increases the risk of financial or information lossassociated with the missing device.

What is needed is a system that allows both users and administrators toobtain remote access to a lost or stolen mobile device in order tosecure the stored data, locate the mobile device, and provide feedbackthat confirms that the desired actions have successfully been executed.For users the system must be able to secure, control, and manage one ormore personal devices and for administrators the system must be able tosecure, control and manage a plurality of devices of multiple devicetypes in order to be effective in an organization that has aheterogeneous mobile device deployment.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a diagram of a mobile device, server and clientcomputer;

FIG. 2 illustrates a flow chart of the remote access processingperformed on the mobile device;

FIG. 3 illustrates a flow chart for conditional commands performed onthe mobile device;

FIG. 4 illustrates a flow chart for communicating with the mobiledevice;

FIG. 5 illustrates an exemplary web page having a GUI with remote accesscontrols for the mobile device;

FIG. 6 illustrates a flow chart for indicating to the mobile device viaa messaging service that the server has remote access commands for thedevice;

FIG. 7 illustrates a flow chart for indicating to the mobile device viaa long-timeout HTTP connection that the server has remote accesscommands for the device;

FIG. 8 illustrates a flow chart for caching responses to a request fromthe device;

FIG. 9 illustrates a flow chart for communicating with a devicemanagement server to perform an action on the device;

FIG. 10 illustrates a flow chart for the server connecting to acomponent to perform an action on the device;

FIG. 11 illustrates a flow chart for a component connecting to theserver to perform an action on the device;

FIG. 12 illustrates a flow chart for the server acting as anintermediary between the device and a device management server;

FIG. 13 illustrates a flow chart for the server interacting with a pushservice to perform an action on the device;

FIG. 14 illustrates a flow chart for interacting with a location serviceto provide the physical location of the device;

FIG. 15 illustrates a flow chart for enforcing data quota on the server;

FIG. 16 illustrates a flow chart for securing remote access commandsperformed on the device;

FIG. 17 illustrates a data viewing web page that can be viewed by thedevice; and

FIG. 18 illustrates a flow chart for transferring data, settings orapplications from a source device to a destination device.

DETAILED DESCRIPTION

It should be appreciated that the present invention can be implementedin numerous ways, including as a process, an apparatus, a system, adevice, a method, or a computer readable medium such as a computerreadable storage medium containing computer readable instructions orcomputer program code, or a computer network wherein computer readableinstructions or computer program code are sent over optical orelectronic communication links. Applications, software programs orcomputer readable instructions may be referred to as components ormodules. Applications may take the form of software executing on ageneral purpose computer or be hardwired or hard coded in hardware.Applications may also be downloaded in whole or in part through the useof a software development kit, framework, or toolkit that enables thecreation and implementation of the present invention. In thisspecification, these implementations, or any other form that theinvention may take, may be referred to as techniques. In general, theorder of the steps of disclosed processes may be altered within thescope of the invention.

As used herein, the term “mobile communications device” refers to mobilephones, PDAs and smartphones. The term “mobile communications device”also refers to a class of laptop computers which run an operating systemthat is also used on mobile phones, PDAs, or smartphones. Such laptopcomputers are often designed to operate with a continuous connection toa cellular network or to the internet via a wireless link. The term“mobile communications device” excludes other laptop computers, notebookcomputers, or sub-notebook computers that do not run an operating systemthat is also used on mobile phones, PDAs, and smartphones. Specifically,mobile communications devices include devices for which wirelesscommunications services such as voice, messaging, data, or otherwireless Internet capabilities are a primary function. As used herein, a“mobile communications device” may also be referred to as a “device,”“mobile device,” “mobile client,” or “handset.” However, a person havingskill in the art will appreciate that while the present invention isdisclosed herein as being used on mobile communications devices, thepresent invention may also be used on other computing platforms,including desktop, laptop, notebook, netbook or server computers.

As used herein, the term “client computer” refers to any computer,embedded device, mobile device, or other system that can be used toperform the functionality described as being performed by the clientcomputer. Specifically, client computers include devices which can beused to display a user interface by which the functionality provided bythe server can be utilized by a user. Client computers may be able todisplay a web page, load an application, load a widget, or perform otherdisplay functionality that allows the client computer to reportinformation from the server to the user and to receive input from theuser in order to send requests to the server.

A. System Architecture

With reference to FIG. 1, a block diagram of an embodiment of the mobiledevice 101 is illustrated. The mobile device 101 includes: an operatingsystem 113, an input device 115, a radio frequency transceiver(s) 116, avisual display 125, and a battery or power supply 119. Each of thesecomponents is coupled to a central processing unit (CPU) 103. The deviceoperating system 113 runs on the CPU 103 and enables interaction betweensecurity system application programs and the mobile device hardwarecomponents.

In an embodiment, the mobile device 101 receives data through an RFtransceiver(s) 116 which may be able to communicate via variousnetworks, for example: Bluetooth, local area networks such as WiFi, andcellular networks such as GSM or CDMA.

In an embodiment, a local software component 175 is an applicationprogram that is downloaded to a mobile device and installed so that itintegrates with the operating system 113. Much of the source code forthe local software component 175 can be re-used between various mobiledevice platforms by using a cross-platform software architecture. Insuch a system, the majority of software functionality can be implementedin a cross-platform core module. The cross-platform core can beuniversal allowing it to interface with various mobile device operatingsystems by using a platform-specific module and a platform abstractionmodule that both interact with the mobile device operating system 113,which is described in U.S. patent application Ser. No. 12/255,626,entitled “SYSTEM AND METHOD FOR A MOBILE CROSS-PLATFORM SOFTWARESYSTEM.” In another embodiment, the local software component 175 can bedevice, platform or operating system specific.

The mobile device 101 accesses a communications network 121 whichpermits access to a server 111. The server 111 may also be accessed by aclient computer 233 via network 121. The network 121 will normally bethe Internet but can also be any other communications network.Alternatively, the mobile device 101 may access the server 111 by adifferent network than the network the client computer 233 accesses theserver 111 with. In an embodiment, the server 111 is provided withserver software 117. The server software 117 on the server 111 providesfunctionality to allow two-way communication between the server 111 andthe mobile device 101, as well as two-way communication between theserver 111 and the client computer 233 also through the network 121. Theserver software 117 on the server 111 enables the client computer 233 toaccess the mobile device 101 and issue commands from the client computer233 to the mobile device 101. The server software 117 also allows forthe mobile device 101 to communicate with the client computer 233 todeliver status information about the mobile device 101 after thecommands from the client computer 233 have been executed or while theyare in progress. Furthermore, the server software 117 allows data, suchas location-related information, pictures, contacts, videos, SMSmessages, call history, event logs, and settings to be transferred fromthe mobile device 101 to the client computer 233 and from the clientcomputer 233 to the mobile device 101. In an embodiment, the serversoftware 117 generates a web page for display on the client computer 233which allows an authorized user to use remote access and configurationcontrols relating to the mobile device 101. In an embodiment, the serveralso includes a database 179 that is used to store backed-up data andother information from the mobile device 101.

Of course, it is understood by those of ordinary skill in the art thatthe functionality performed by server 111 does not necessarily have tobe accomplished on a single hardware device. In this context, the use ofthe term server is intended to refer to one or more computers operatingin cooperation or collaboration to provide the functionality describedherein. The computers may be co-located or in different locations. Thecomputers may inter-operate in such a way that portions of functionalityare provided by separate services that may or may not be operated by thesame entity as other computers which provide other functionality. Forexample, one set of servers may provide data storage functionality whileanother provides all other functionality. The data storage servers maybe operated by a separate company than the servers that provide theother functionality. S3 (simple storage system), from Amazon, Inc. issuch a data storage service which may be utilized by separate set ofcomputers to enable the present invention.

With regard to the client computer 233, in the preferred embodiment, theclient computer accesses the server software 117 on the server 111, anddoes not require that the client computer 233 to possess computerprogram instruction sets for the server software 117 locally. However,in certain embodiments, the client computer 233 can be programmed withsoftware that allows it to remotely control or access a mobile device.

In an embodiment, an application or widget loaded on the client computeris used to present a user interface to the user. The user interface mayprovide some or all of the functionality provided by the web pagedisplayed on the client computer. The application or widget containspresentation logic and communicates with the server via an API. Theapplication or widget sends a request to the server in order to retrieveinformation from the server for display. The server returns theinformation in a structured format such as XML or JSON, so that theapplication or widget is able to display the information in an arbitrarymanner. For example, the information requested by the application orwidget and returned by the server may contain data such as: a list ofdevices accessible by the user, status information relating to a device,or a list of devices in a group managed by the user that are determinedto be lost or stolen. The application or widget may also send a requestto the server to perform actions on a device, change settings relatingto a device, or access any other functionality provided by the server.For example, a widget may show the device and its phone number based ininformation retrieved from the server. The widget may have a buttonwhich allows the user to request for the server to instruct the deviceto play a sound. After the server has instructed the device to play asound and the device has responded that it has started performing theaction, the widget may request for the server to return the status ofthe command. After receiving the response from the server, the widgetdisplays that the sound is currently playing on the device.

The steps for remote access to the mobile device 101 are shown in FIG.2. If the mobile device 101 is lost or stolen, the user can use theclient computer 233 to access the server software 117 running on theserver 111 to remotely access the mobile device 101. Preferably, theserver 111 will only allow the user to perform tasks after he or she hassupplied authorized credentials 251. The server 111 may requireauthentication information such as a user name, password, biometricdata, or other security-related information. If the user is authorized,the server 111 retrieves previously stored information about the mobiledevice 101 for which remote access is sought. The server 111 thengenerates a remote access web page corresponding to the mobile device101 that is accessible by the client computer 233 and includes a userinterface 253 which provides remote access to the mobile device 101.Some of the remote access controls include locating the mobile device101 by providing the location of the mobile device 101 on a map, makingthe mobile device 101 play a sound, backing up the data on the mobiledevice 101, locking or unlocking the mobile device 101, monitoring audioor video near from the mobile device 101, monitoring any actions takenon the mobile device 101, and wiping any memory in the mobile device101.

The client computer 233 can request one or more actions to be performedby the mobile device 255, causing the server 111 to transmit thecommand(s) to the mobile device to perform the selected action(s) 261.In some cases, the mobile device 101 cannot receive commands because itis outside of a communications network coverage area, its batteries aredead, or for various other reasons. In an embodiment, the server 111 candisplay the communications status, including attempted communicationswith the mobile device, on the remote access web page 271. If the mobiledevice is not able to receive or process the command(s), the remoteaccess web page can indicate that communication with the device is beingattempted. The server will continue to attempt to send a given commandto the mobile device until the mobile device successfully completes thecommand, the command is manually cancelled, or the command cancelledthrough some setting established by the server software 117. Once theserver 111 receives acknowledgement from the client that it received thecommand successfully, the remote access web page will indicate that theaction corresponding to the command is in progress.

Any web pages generated by the server software 117 may be updated toshow changes without action by the user by using technology such asJavaScript or Adobe Flash which can connect to the server 111 andretrieve updated information even after a web page is generated. Therequests from client computer 233 to the server 111 may be periodic,occurring on an interval, or have long timeouts in order to allow theserver 111 to respond only when changes have occurred or a timeout hasbeen reached.

It is understood by one with ordinary skill in the art that thefunctionality or information provided by a web page does not necessarilyhave to be accomplished by a single document generated by the server111. For example, a document may be an HTML document. In this context,the use of the term web page is intended to mean one or more documentsthat provide the functionality described herein. The functionality maybe split between multiple documents and grouped by likely use cases. Asingle document may have the ability to change the functionality itpresents to the user using a technology such as JavaScript which canmodify the presentation of and, therefore, the functionality enabled bya document.

When the mobile device 101 receives the command(s) from the server 111,the local software component 175 on the mobile device 101 initiates thecommanded action(s) 261. The local software component 175 then monitorsthe commanded action and prepares reports on the action's status 263.The mobile device 101 continues to check if the commanded action hasbeen completed 265 and, if desired, transmits updated command status 263back to the server 111. The command status is interpreted and updatedinformation may be displayed on the web page 271. In an embodiment, thereports are only prepared when the commanded action has completedsuccessfully or has failed, but not while it is in progress.

In an embodiment, the status report indicates the progress of the mobiledevice's execution of a commanded action. For example, the first statusreport can indicate that the mobile device is beginning to perform thecommanded action. Subsequent reports would then indicate the partialcompletion of the commanded action. The web page 253 accessed by theclient computer 233 can graphically display the progress of the commandand may also provide an estimated completion time. When the mobiledevice has determined that the commanded action has been completed 265,the local software component 175 will send confirmation of the commandedaction's completion and stop preparing reports 267.

If the user requests more than one command, the server 111 can transmitmultiple commands to the mobile device 101 together. The mobile device101 may then perform the commanded actions simultaneously and the nextcommunication with the server 111 can provide the status of all thecommanded actions. Alternatively, the sever 111 may store the commandaction requests and transmit each of the commands sequentially. Theserver 111 will transmit each command to the mobile device after theprior command has been completed. In an embodiment, the server 111transmits all commands to the mobile device 101 together. The device 101processes them in order of transmission, waiting for a given command tobe completed before moving on to the next. The sequence and conditionsfor performing the commands can be configured in any manner.

In some cases, a failure to complete a command will cause the system tostop subsequent commands. For example with reference to FIG. 3, a userwho has lost a mobile device will first want to backup the data storedon the mobile device memory and then wipe all data from the memory afterthe backup is performed. The user can use the remote access web page torequest a backup and secure wipe of all data on the mobile device 301.The server commands the mobile device to back up all stored data 303.The system will monitor the progress of the backup command 305. If thebackup is successful, the mobile device memory will be wiped 311.However, if the backup fails, the system analyzes the command status todetermine if the backup can be completed 307. If the backup can becompleted, the system will continue to monitor the backup progress 305.If the backup cannot be completed, the system can transmit a request tothe remote access web page asking the user if the data should be wipedif the backup cannot be completed 309. The system processing can beperformed by either the remote device or the server. The user can thenchoose to cancel the wipe command 313. If a recent backup does notexist, the user may want to make further attempts to find the mobiledevice before erasing the memory. Alternatively, the user can confirmthe wipe command and the server will command the mobile device to wipeall data from the mobile device 311. This may be an appropriate choiceif the mobile device data was backed up recently and very little datawould be lost. In an embodiment, the server automatically chooseswhether or not to perform the wipe depending on factors including thelast backup time or pre-chosen settings. In an embodiment, the mobiledevice automatically chooses whether or not to perform the wipe. Whileone specific example of conditional command processing has beendescribed, various other commands can be processed in a similar manner.

B. Communications

With reference to FIG. 1, specific communication protocols are usedbetween the server 111 and the local software component 175 on themobile device 101 to facilitate secure communications. In a preferredembodiment, commands can be sent both from the server 111 to the client101 and from the client 101 to the server 111. The connection uses astandardized transport protocol such as HTTP to transmit data in bothdirections. The connection may use a security layer such as TLS(Transport Layer Security) or SSL (Secure Sockets Layer). Because HTTPis composed of request and response pairs, in order to support apersistent connection, multiple request and response pairs are strungtogether. A protocol such as SyncML is used on top of the HTTP layer tostructure the information exchanged between the mobile device 101 andthe server 111 and manage the logical session that is composed of theindividual HTTP request and response pairs. More information aboutSyncML can be found at http://www.openmobilealliance.org. The mobiledevice 101 will initiate a connection whenever it has commands to sendto the server 111 or when the server 111 indicates that it has commandsto send to the device 101. The device 101 continues sending HTTPrequests to which the server 111 responds while either the mobile device101 or server 111 have outstanding commands.

With reference to FIG. 4, when the client computer 233 requests acommand for the mobile device 101 from a web page generated by theserver 111, the client computer transmits the request to the server 401and the server transmits an indication message to the device 402. Theindication message instructs the mobile device 101 to connect to theserver 111. The mobile device 101 responds by connecting to the server403. The server then transmits the commands to the mobile device 404.The device receives the commands and the local software component 175interacts with the operating system 113 to perform the requestedcommands 405. In an embodiment, the local software component 175 alsomonitors the progress of the requested commands and transmits commandprogress reports back to the server 111 that indicate the status of thecommands 406. The server interprets the reports and displays the commandstatus on the web page viewed by the client computer 407.

In an embodiment, one or more commands can be transmitted from theserver 111 to the mobile device 101 in a secure short message service(SMS) protocol. The local software component 175 interprets SMS packetsand verifies that they came from an authorized source. In an embodiment,the protocol uses digital signatures to authoritatively identify thesource of an SMS packet, sometimes called a protocol data unit (PDU). Inan embodiment, the protocol uses an encryption scheme such as public keyencryption to prevent the contents of PDUs from being seen byunauthorized parties. If a PDU is found to be from a trusted source, themobile device 101 performs any requested commands present in the PDU.The local software component 175 monitors the command progress andtransmits the status reports to the server 111 using the secure SMSprotocol. Alternatively, the local software component 175 may report thestatus back to the server using an HTTP based protocol, such as has beendescribed above. In order to overcome the limitations of SMS PDU length,multiple SMS PDUs may be reassembled to transmit large commands.

Of course, it is understood to one of ordinary skill in the art that thedevice 101 and the server 111 may be configured to communicate in waysother than those directly described in this disclosure to perform thefunctionality of the inventive system. Such additional manners ofcommunication include using different transport protocols (e.g. TCPinstead of HTTP), using different structured data formats (e.g. JSONinstead of XML), using different indication mechanisms (e.g. XMPPinstead of SMS), and other changes that do not meaningfully alter thefunctionality or functions provided by the present invention.

1. Indication

In an embodiment with reference to FIG. 6, the server 111 indicates tothe mobile device 101 that there are one or more commands waiting to besent from the server 111 to the device 101 by utilizing a push messagingservice such as SMS. When the server wishes for the mobile device toconnect, it sends an SMS message to the device's phone number with anindication command and an authentication token that is known only to theserver and mobile device 601. The mobile device receives the SMS messageand checks to see if it matches a pre-defined indication command formatand checks for the presence and validity of the authentication token602. If the command is valid and the token matches, the device willexecute the indication command 603. If the message does not match theindication command format, the command is not valid, or theauthentication token does not match, the message is ignored 604. In anembodiment, the indication command contains a priority code which tellsthe mobile device 101 how important any commands waiting to be sent onthe server 111 are. The device decides whether or not to connect to theserver depending on the priority reported by the server and cost of datatransfers for its current connection 605. If the mobile device is out ofits home coverage area and network data transfers are expensive, thedevice does not connect to receive low priority commands 606; however,if the server has a high priority command, such as one corresponding toa wipe request, the device will connect to the server through any meansnecessary without regard to cost 607. While one example of conditionalconnection has been described, the invention can be configured toconnect based on various other criteria. In an embodiment, if the devicedoes not connect to the server, it will wait until its data connectionchanges 608, and then decide if it should connect again 605. In anembodiment, the indication command contains a message identifier whichis used to correlate SMS messages sent by the server 111 with SMSmessages received by the device 101. The message identifier is reportedto the server when a command exchange session using a protocol such asSyncML is started as a result of an indication message. The correlationallows the server 111 to identify non-reception of SMS messages by thedevice 101. Non-reception may be indicative of a network or phoneconfiguration problem. By identifying such problems automatically, theproblems can be corrected before the lack of SMS reception preventsindication messages from being received by the device 101 in the case ofa missing device.

In an embodiment with reference to FIG. 7, the server 111 indicates tothe mobile device 101 that there are one or more commands waiting to besent from the server 111 to the device 101 by utilizing a long-timeoutHTTP connection. The mobile device 101 transmits an HTTP request to theserver 701. The request contains the response timeout, the maximum timethe server may wait before returning a response. The request alsocontains authentication information that identifies the device to theserver. The response timeout can typically range from 1 to 60 minutes.The server checks to see if there are any commands waiting on the serverto be retrieved by the device 702. If there is at least one commandwaiting for the device, the server transmits an HTTP response to thedevice indicating that there is a command waiting to be retrieved 703.When the device receives this message, it connects to the server toretrieve any waiting commands 704. If there are no commands waiting tobe retrieved by the device, rather than responding immediately, theserver waits for a command to become ready to be retrieved by the devicefor up to the maximum timeout specified in the request 705. When thetimeout has been reached or there is a command on the server waiting tobe retrieved by the device, the server decides what type of response toreturn to the device 706. If there is a command waiting to be retrievedby the device, the server will respond to the outstanding HTTP requestbefore the maximum response timeout is reached, telling the device toconnect to the server 703. If the maximum response timeout is reachedwithout the server having a command ready to be retrieved by the device,the server responds and instructs the mobile device to continue waitingwith another long-timeout HTTP request 707. The mobile device will thentransmit a new long-timeout HTTP request to the server 701. Because anHTTP request is always outstanding, a secure persistent connectionexists between the server 111 and the mobile device 101. In order tominimize the impact on the mobile device's battery life and reduce theamount of network traffic, a maximal response timeout is desired. In anembodiment, the mobile device dynamically adjusts the response timeout.After sending a long-timeout HTTP request to the server, the devicewaits up to that maximum timeout for a response from the server 708. Ifthe device does not receive a response within the specified responsetimeout or the device determines that the HTTP connection has beenclosed without it having received a response, the device decreases theresponse timeout for the next request 711. If the device receives aresponse successfully that indicates that there are no commands waitingto be retrieved by the device on the server, the device increases theresponse timeout for the next request 710. In an embodiment, the devicedetermines a maximum timeout by increasing the timeout on subsequentrequests until a request's response is not received successfully. Themaximum timeout is the highest response timeout that completessuccessfully. If a response is received successfully, the timeout is notincreased if the timeout is already maximized 709. Microsoft'sDirectPush is an example of a mobile device long-timeout HTTP requestsystem that automatically adjusts the response timeout based on successor failure of requests.(http://technet.microsoft.com/en-us/library/aa997252.aspx)

In an embodiment, the server uses a messaging service to notify a serverthread that is waiting for a command to be ready to be retrieved by thedevice. Example messaging services include RabbitMQ(http://www.rabbitmq.com/), ActiveMQ (http://activemq.apache.org/),ejabberd (http://www.ejabberd.im/) and other messaging or event systemsthat may be used to notify a server thread about a command being readyto be retrieved. When the server receives a long-timeout request from adevice, the thread processing the request registers with the messagingservice to receive command-ready events for the device. If anotheraction on the server, such as the user requesting an action via theremote access web page causes a command to be queued to be sent to thedevice, the server sends a message via the message service notifying thethread processing the long-timeout request. In an embodiment, threadsprocessing long-timeout requests process multiple requestssimultaneously in an event-driven fashion. An example library used toprovide this functionality is libevent(http://monkey.org/˜provos/libevent/).

In an embodiment, long-timeout HTTP requests and responses used toindicate that the server 111 has commands to send to the device 101 areseparate from the SyncML HTTP requests and responses. In an alternativeembodiment, SyncML HTTP requests use a long timeout to allow the server111 to send commands to the device 101 without relying on a separateindication system. In this embodiment, the server does not respond withan indication that commands are ready to be retrieved by the device.Instead, the device's request is a SyncML request, and the server'sresponse is a SyncML response containing any commands needing to be sentto the device. In a further embodiment, two SyncML sessions between adevice 101 and server 111 can exist. One of the sessions useslong-timeout requests and is dedicated to commands sent from the server111 to the device 101. Because the server holds the HTTP request open, aclient cannot send commands through this session until the serverreturns a response. A second session is dedicated to commands sent fromthe device 101 to the server 111. HTTP requests and responses for thesecond session do not use long timeouts and are only sent when thedevice 101 has commands to send to the server 111.

2. Connection Robustness

If the mobile device 101 cannot connect to the server 111, it willattempt to reconnect and try sending the latest message in the sessionagain. By automatically reconnecting and resuming a session, the mobiledevice 101 can tolerate connection outages, a frequent occurrence onmobile networks. The ability to tolerate network failures without havingto restart a session allows the system to successfully operate onnetworks which would otherwise be unusable for large data transfers. Forexample, if a device is backing up a large file, the file may be brokenup into multiple chunks and sent to the server over multiple requests.

If the device's network connection is interrupted while it istransmitting a request to the server, the software on the devicereconnects to the network and retries the failed request. Because thesession is able to continue, the device does not need to restart sendingthe file to the server and can resume immediately after the lastsuccessfully transmitted chunk. As the session does not depend on agiven network connection, the mobile device can lose its networkconnection, change its IP addresses, or have other connectivity issuesand still resume its session with the server.

In the case where the device's network connection is interrupted whileit is receiving a response from the server, the device will retry therequest associated with the failed response. In an embodiment, theserver will recognize that it has already received the original requestand signal for the device to abort its session, not processing theduplicate message. In an alternative embodiment with reference to FIG.8, the server caches its latest response in the given session so that itmay recover from the device failing to receive a response. The devicesends a request to the server 801. The server checks to see if it hasalready responded to the request in the current session by checking themessage identifier and session identifier of the request against datastored in a database 802. The database contains the last messageidentifier and session identifier the server has responded to. If therequest has the same message identifier and session identifier as isstored in the database, the request has already been responded to. Ifthe server has not responded to the request (i.e. this is the first timethat the client has successfully transmitted this request to theserver), the server processes the request, caches the response, andreturns the response to the device 803. When caching the response, theserver stores the response data, the hash of the request (using analgorithm such as SHA-1), and identifiers such as the session identifierand the message identifier of the request. If the device fails toreceive the response, it will retry sending the request to the server804. After receiving the retried request, the server checks thatrequest's identifiers against the data stored in the database 802.Because the session identifier and message identifier match the lastrequest responded to, this request has already been responded to. Theserver checks to make sure that the retried request is exactly the sameas the request corresponding to the cached response by comparing thehash of the retried request to the hash of the request corresponding tothe cached response 805. If there is no cached response available forthe message identifier and session identifier or if the hash does notmatch, the server returns a response indicating for the session to abort806. The device receives this abort response and attempts to restart thesession 807. If there is a cached response for the request available tothe server, the server returns the cached response to the device 808.The device processes this response and continues the session withoutinterruption 809. In an embodiment, the server expires cached responsesafter a given period of time or upon certain events, such as a devicebecoming disabled or stolen, to prevent stale data from beingtransmitted by the server to the device. In an embodiment, the serverexpires cached data in a least recently used manner. In an embodiment,the server only stores a cached response for the last received requestin an active session. To store the cached data, the server may use anin-memory caching system such as memcached(http://www.danga.com/memcached/).

3. Device Management System Integration

For some devices or some types of device deployments, it is not ideal ornot possible for the server to directly send commands to software on themobile device. In an embodiment with reference to FIG. 9, the server 111communicates with a device management server 900 which has the abilityto perform remote actions on a device 101. Because device managementsystems are often coupled to a specific type of mobile device, thepresent invention is a centralized way to remotely access multiple typesof mobile devices even if each only supports a certain type ofmanagement system. In an exemplary embodiment, the server 111communicates with a device management server 900 using an HTTP API. Whenthe client computer 233 requests for the server to perform a remoteaction on a device 901, the server receives the request from the clientcomputer and sends a request to the device management server for thedevice to perform the action 902. The device management receives therequest from the server and uses its internal method of contacting thedevice and inducing the action 903. The device receives the request fromthe device management server and the device performs the action 904. Thedevice then returns the status of the action to the device managementserver 905. The server may subsequently query the device managementserver for the results of the remote action request 906. The devicemanagement server returns the current status of the remote actionrequest 907.

If a device management server 900 does not have an API that can be usedby the server 111 to perform remote actions, a component 1000 may beinstalled on the device management server 900 to allow communicationwith the server 111. In an embodiment, the inventive system includes thecomponent 1000, sometimes called a plug-in or connecter, that canintegrate with the device management server 900. The component 1000 canbe used to gather information about a device, command actions to beperformed on a device, get status about a previously issued command,enumerate what devices a given device management server manages, andperform other actions desired for operation of the present invention.Depending on various factors such as the security requirements andnetwork architecture pertaining to the device management system, thecomponent 1000 may either connect to the server 111 or be connected toby the server 111. Each action performed on a device must beauthenticated so that only authorized parties can access thefunctionality provided by the component 1000 and only authorizedreceivers can receive commands from the server 111. The authenticationprocess may include sending a shared secret key, a challenge-responsesystem, a public-key system, or any other technology that can be usedfor authoritative authentication. The connection may use a public-keysystem such as TLS to provide encryption and authentication. TLS may beused for authentication of both participants in a connection when usedwith client certificates. If TLS is used without a client certificate,only the identity of one party can be asserted. In this case, TLS may becombined with other authentication mechanisms to provide mutualauthentication.

In an exemplary embodiment with reference to FIG. 10, where the server111 connects to the component 1000, the component 1000 exposes its APIby acting as an HTTP server. When the server has an action to perform onthe device managed by the device management server, the server initiatesan HTTP request to the component 1001. To verify the authenticity ofboth parties, TLS is used. The component 1000 supplies a servercertificate and server 111 supplies a client certificate so that bothparties may mutually authenticate. Alternatively, the authenticationprocess can use any of the methods defined above. Once the connection isestablished and mutually authenticated, the server completes its HTTPrequest to the component. The component receives the request 1002 andinteracts with the device management server to perform the action on thedevice 1003. The component returns status as to whether or not it wasable to successfully request that the device management server performthe action on the device 1004. At some point in the future, the serversends another request to the component querying the status of the action1005. The component returns information pertaining to the progress ofthe command such as whether it was successfully completed or not 1006.If the command is still pending, the server periodically continues torequest status from the component.

In an exemplary embodiment with reference to FIG. 11, when the component1000 connects to the server 111, the component exposes its API by actingas an HTTP client and connecting to the server. The component uses aSyncML protocol over HTTP to communicate with the server. Ordinarily,the component keeps a long-timeout HTTP connection open with the server1101. Both the long-timeout HTTP connection and any other HTTPconnections may be encrypted using TLS. The server 111 has a certificatewhich verifies its identity. The component 1000 supplies authenticationcredentials to the server with each HTTP request. The server receivesthe long-timeout HTTP request from the component and waits for there tobe an action to be performed on a device managed by the devicemanagement server 1102. When the server has an action to perform on adevice 101 managed by the device management server 900, the server 111responds to the long-timeout HTTP request with an indication for thecomponent to connect to the server 1103. The component then connects tothe server to start a SyncML session over HTTP 1104. In the SyncMLsession, the server sends a command to the component 1105. The componentreceives the command 1106 and interacts with the device managementserver to perform the action on the device 1107. The component returnsstatus as to whether or not it was able to successfully request that thedevice management server perform the action on the device 1108. Thecomponent sends the command progress to the server until the commandshave completed successfully or failed.

In an embodiment, the server is used to remotely access multipledevices. Because each device may be accessible from a differentmanagement server, the server is able to select which management servera given device corresponds to and send commands to the appropriateserver. The server may choose to send certain commands directly to adevice and other commands to a management server which corresponds tothe device depending on the capabilities of the device, the localsoftware component on the device, and the management server.

For some devices or some types of device deployments, it is not ideal ornot possible to run a local software component on the device 101. In anembodiment with reference to FIG. 12, the server 111 acts as anintermediary between the mobile device 101 and its management server900. Without the inventive system, the mobile device 101 directlyconnects to its device management server 900, such as Microsoft Exchangeor Blackberry Enterprise Server. Because an organization may havemultiple types of mobile devices and thus multiple management servers,it becomes cumbersome for an administrator to help a user with a lost orstolen mobile device. Furthermore, if an organization only uses one typeof management server, and a user loses a mobile device which cannotcommunicate with that type of management server, the device may not beable to be secured. Instead of connecting directly connecting to itsmanagement server, the device connects to the server using itsmanagement protocol 1201. The server receives the management protocoldata and checks to see if there are actions to be performed on thedevice 1202. If the server has actions to perform on the device, theserver uses the device management protocol supported by the device toinduce the device to perform the desired actions 1203. If the serverdoes not have actions to perform on the device, the server proxies thedevice's management protocol data to the device management server 1204.The management server receives the management protocol data, processesit as normal and returns result data to the server 1205. The serverreturns the result data returned by the management server to the device1206. In an exemplary embodiment, the mobile device 101 uses along-timeout HTTP protocol as its device management protocol. When usingthe inventive system with the mobile device 101, the mobile device isconfigured to connect to the server 111 via the device managementprotocol 1201. When there are no actions for the device 1202, the serverproxies the request from the device to the management server 1204. Themanagement server will wait up until the maximum timeout specified inthe request before returning data to the server 1205. The server thenreturns the response from the management server to the device 1206. Ifthe server has an action for the device while the management server iswaiting to return a response, the server will respond to the device'srequest and close its connection with the management server, even thoughthe management server did not return a response. When there are actionsfor the device 1202, the server does not proxy the request and instructsthe device to execute the action 1203. When finished with sending anyactions to the device and receiving any associated status information,the server returns to normal, proxying requests and responses betweenthe device 101 and the management server 900. In an embodiment, there isno device management server 900, and the server 111 acts as a devicemanagement server 900 and does not proxy requests.

4. Push Service Integration

For some devices, it is not possible or not desirable to run software inthe background which is able to receive connection indications from theserver 111 or to connect to the server 111 periodically. Such devicesmay allow the server 111 to request that an indication be pushed to thedevice 101 via a push service 1300 provided by the device'smanufacturer, service provider, or other party. In an embodiment withreference to FIG. 13, the server 111 uses this push service 1300 toindicate for the device 101 to connect to the server 111. The serverfirst sends a request to the push service requesting that an applicationbe launched on the device 1301. The push service sends a request to thedevice instructing the device to perform the requested action 1302. Thedevice receives the request 1303 and launches the application specifiedin the request 1304. Launching the application causes the device toconnect to the server using an HTTP based protocol to send and receivecommands and responses. In an alternative embodiment, the push service1300 allows the server 111 to directly request that actions be performedon the device 101. In an example, the push service 1300 allows theserver 111 to wipe the device 101, play a sound on the device 101, andlock the device 101 directly through the push service 1300 withoutrequiring software on the device 101 to connect to the server 111 toreceive commands after receiving an indication. The device sends arequest to the push service for the device to perform an action 1301.The push service sends the request to the device 1302. The devicereceives the request 1303 and performs the action 1304. After the deviceperforms the requested action, the device reports the status of theaction to the push service 1305. The server connects to the push service1300 to receive the status of the requested actions. Alternatively, thepush service 1300 connects to the server 111 to inform it of the statusof the requested actions.

For actions indicated by a push service 1300 which report small amountsof data back to the server 111, such as retrieving location-relatedinformation from the device 101, it may be desirable to use an HTTPrequest/response API instead of a persistent session protocol such asSyncML layered on top of HTTP. In an embodiment, the push serviceinstructs the device to perform an action such as gatheringlocation-related information 1302. After receiving the request 1303 andgathering the location-related information, the device connects to theserver using HTTP and posts the location-related information along withauthentication information to the server in a structured data formatsuch as XML or JSON 1304.

C. User Interface and Functionality

With reference to FIG. 5, an exemplary mobile device remote access webpage is illustrated. The web page provides general management andassistance functionality. The user may click Account 510 to view orchange their account details, Feedback 511 to comment on thefunctionality of the system, Help 512 to get assistance with thefunctionality provided by the system, and Logout 513 to log the user outof the system. The currently logged-in user is identified on the webpage 581. A currently selected device is identified by its phone number520 and name 522. The identity of the selected device is graphicallyillustrated by a picture of the device if the server can identify themodel of the device 521. The status of the currently selected device isalso indicated 524. In this example, the status 524 informs the userthat “Everything is OK”. If there were a security or other problem withthe device, the status 524 would indicate the severity of the problem.The currently selected device may be changed by pressing the changedevice button 523 and selecting a different device. The change devicebutton 523, when clicked, shows a dialog with some or all of the devicesaccessible by the user. When the user selects one, that device becomesthe currently active device.

The web page provides several tabs each displaying different informationand controls relating to the currently selected device. The primaryremote access controls for recovering and securing a lost or stolendevice are on the “Missing Device” tab 503 of the web page. The user canutilize functionality provided by the present invention by clicking onother tabs which include “Dashboard” 501, “My Data” 502, “Restore” 504,and “Settings” 505 . For example, clicking “Dashboard” 501, allows theuser to view an overview of the security and status of the currentlyselected device. Clicking “My Data” 502 allows the user to view thedevice's backed up data which may include types such as: pictures,videos, documents, audio, call history, SMS messages, contacts, webfavorites, settings, programs, and other data. Clicking “Restore” 504allows the user to restore data backed up from the currently selecteddevice to that device or another device. “Settings 505” allows the userto view and change settings associated with the currently selecteddevice. For example, the user may set the frequency and schedule ofbackups, the types of data backed up, and the connection preferencesassociated with backups. Connection preferences may include only backingup while connected to the server via Wi-Fi or a cellular network wherethe device is not “roaming”. Various other settings can be made throughthe system, including settings for Anti-Virus, Attack-Protection,Firewall, and other functionality relating to the currently selecteddevice.

In this example, the missing device web page contains one view 582. Theweb page can also be configured to contain multiple views. For example,the functionality provided by the present invention may be split intomultiple views that are accessed by separate documents requested fromthe server or dynamically displayed elements in a document. Thus, thedisplayed web page is intended to represent various different possibledynamic displays and not be limited to a static web page display. In anembodiment, when the user clicks on an element in a web page whichrepresents selecting a new view, the client computer requests a documentfrom the server to dynamically change appropriate elements on the pageto display the new view being selected. In an alternative embodiment,when the user clicks on an element in a web page which representsselecting a new view, the client updates the visual display of the pagewith data already loaded by the client computer. In an alternativeembodiment, when the user clicks on an element in a web page whichrepresents selecting a new view, the client requests a document from theserver to load an entirely new page on the client computer.

In this example, the user selected the “Missing Device” tab 503. The webpage displays suggestions for finding and securing the phone based uponthe circumstances in which the phone was lost 580. The user can selectany of the desired remote access commands including: locate the device540, play a sound from the device 541, lock the device 542, wipe thedevice 543, and backup the device 544. This listing of commands isexemplary only, and is not intended to recite all commands that are thesubject of the present invention. The user clicks buttons correspondingto the desired actions which causes the action to be performed. Uponclicking a button corresponding to an action, the web page may display adialog box which requires the user to confirm the action or supplyadditional information. The dialog box allows the inventive system toprevent accidental actions which could be harmful if done unnecessarily.In this example, some actions have additional options which may beconfigured by the user. Locate, for example, allows the user to selectfor how many minutes to locate the device 550. After the server beginsattempting to perform the action, its status is displayed. If the devicehas not yet started the action, it may be cancelled 570. While an actionis being performed, the web page may disable the button corresponding tothat action until the action is finished.

1. Location

The web page also includes a map 530 that shows the physical location ofthe mobile device. In an embodiment, the mobile device obtainslocation-related information and transmits this information back to theserver which displays the mobile device location on the map 530. Thelocation-related information can be data from a GPS receiver on themobile device or any other type of location detection mechanism,including but not limited to Wi-Fi access point signal information,cell-tower signal information, and other radio signal information. Themobile device location is indicated as an icon 532 on the map 530. Thelocation action may be initiated manually from the remote access webpage or automatically by the device or server.

To locate the device, the user clicks on the “Locate” button 540 torequest current location-related information from the mobile device. Thelocate command can be terminated by clicking on the cancel button 572.After receiving the location request, the server transmits a command tothe mobile device requesting location-related information. The mobiledevice receives the location-related information command, obtains thelocation-related information and transmits the location-relatedinformation back to the server. While the device is obtaininglocation-related information, it may report its progress to the server.The location-related information may include the physical location ofthe device or data that must be further processed to obtain the physicallocation. The location-related information may also include accuracyinformation regarding the physical location or other data reported tothe server. The web page displays the status of the mobile devicelocation detection 561. The web page indicates that the system is“locating.” The location status will be reported or displayed as“locating” while the location information is being reported by thedevice, “location unknown” when the location retrieval fails, or “donelocating” when the location has finished. If the device reports accuracyinformation, the map has a zone of confidence 533 around the estimatedlocation to inform the user of the region the device is expected to bewithin. Such a zone may be represented as a circle around the estimatedlocation. The server may also display multiple locations transmitted bythe device to show the movement of the device over a period of time. Themultiple locations displayed on the map may show the time the device wasat the location and/or display a line connecting the location points inchronological order. In an embodiment, the server can send a command tothe device for the device to report location-related information to theserver for a period of time. The user may specify the duration of thelocation on the remote access web page 550. During the time period ofthe location request, the device periodically sends updatedlocation-related information to the server. To protect user privacy,location information sent by the device and stored on the server may bediscarded after a period of time.

The user can use pan, zoom in and zoom out controls 531 to alter thescale and boundaries of the map 530 to display the mobile device icon532 in the desired manner on the map 530. For example, the user can usethe display commands 531 to zoom in on the map 530 so that the user canmore easily identify the streets and addresses in the proximity of themobile device. The location information can be useful in determining ifthe mobile device is lost or stolen. In an embodiment, the user mayinput addresses or coordinates of locations known to the user such asthe user's home, office, or known areas associated with the user such asschools and houses of friends and relatives. A location can be definedby recording the coordinates through the mobile device or by enteringthe location manually. A location's area can be defined by specifying aradius around a given location's coordinates. The system may identifythese locations on the map 530 and if the mobile device is detected tobe within any known location areas, the system may identify the locationby name. If the system detects that the mobile device is located in anarea unknown to the user this information may suggest that the mobiledevice is stolen and data on the mobile device may be at risk.

It may be desirable to automatically change the security policy of adevice depending on its location or send a notification if the deviceenters or leaves a given area. This functionality may reduce risk bysetting a lenient security policy while at an office environment and astrict security policy while outside of the office. Additionally, thisfunctionality may help proactively identify lost or stolen devicesbefore the device is reported missing by its user. In an embodiment, thedevice periodically sends location-related information to the server.The server processes the information and compares the device's locationto a set of location areas pertaining to the device. If the device is ina location area that pertains to a specific security policy, the serversends a command for the device to change its security policy. If theserver is configured to notify the user if the device leaves a givenlocation area, the server will send an email notification describing thedevice having left the given location area. If the server is configuredto notify the user if the device enters a given location area, theserver will send an email notification describing the device havingentered a given location area. If the device's location is not knownwith extreme accuracy, the device's presence or absence in a givenlocation area may be determined by the probability of a device being ina given area given its current location and the uncertainty of thatlocation. In an alternative embodiment, the device's comparison of itscurrent location to known locations for purposes of notifications policychanges, or other actions may be performed on the device. In this casethe server may also be notified of any location-related changes ornotifications.

If a device is lost, it is a significant problem if its battery runs outbefore one or more remote actions have been performed to secure orrecover the device. In an embodiment, the device automatically sends itscurrent location-related information to the server when the device'sbattery is low. If the user later decides to attempt to locate thephone, but the battery has run out, the server displays the last knownlocation on the remote access web page. In an embodiment, the deviceautomatically sends its current location-related information to theserver on a periodic basis. The user may configure the time interval bywhich the device transmits location-related information to the server.If the user decides to locate the phone, but the device is unable tocommunicate with the server for any reason, the server displays the lastknown location on the remote access web page.

If there are multiple types of location systems available on a device,it may be desirable to wait for a more accurate system such as GPS orWi-Fi to return location-related information instead of returning thefirst available, yet usually less accurate, cell-tower location-relatedinformation. It is also desirable, however, to have a location quickly,even if it is less accurate than one that may take more time. Theprocessing of information from these various location systems isdescribed below. In an embodiment, the device utilizes multiple systemswhich provide location-related information to get the most accurateinformation available at a given time during the course of a locationrequest. When the device receives a command to locate itself for aperiod of time, it starts one or more available systems which may beable to provide location-related information. During the period of timethat the device has been requested to send location-related informationto the server, the device will periodically send the most recent dataavailable from one or more location information systems. In an example,the server requests for a device which has GPS and a mobile networkradio to send location information for 5 minutes. When the device firstreceives the command, it attempts to use GPS and the device's mobilenetwork radio to retrieve location-related information. Because GPS hasto acquire satellite signals, it may take several minutes before anaccurate location is available. The device's first report to the servercontains only cell-tower location-related information. If, before thenext report is sent to the server, GPS has acquired a fix, the devicewill send both GPS and cell-tower information to the server. The devicewill continue periodically sending reports containing availablelocation-related information until the location time period is finished.

While GPS is often the most accurate location system, there are varioussituations, such as when the device is indoors or in an urban area, whenGPS cannot obtain an accurate fix. Other location systems are desirablewhen GPS is not available or is waiting to acquire a fix. Becausewireless infrastructure stations such as Wi-Fi access points andcellular network towers transmit identifiers that are usually globallyunique, the identifiers and associated signal characteristics detectedby the mobile device can be used to estimate the location of the device.In an embodiment, when the server requests that software on the devicegathers location-related information, the software on the deviceretrieves identification and signal information for nearby Wi-Fi accesspoints and cellular network towers and their associated signalcharacteristics detected by the mobile device. For each Wi-Fi accesspoint, the device reports the access point's BSSID to identify theaccess point and the device's received signal strength for that accesspoint to characterize the signal. For a nearby cell-tower, the devicereports different information depending on the cellular network type.For example, in GSM-based networks, the device may report a cell tower'smobile country code (MCC), mobile network code (MNC), location area code(LAC), and cell id (CID) to identify the tower along with the timingadvance and signal strength to characterize the device's connection withthat tower. For example, in CDMA-based networks, the device may report acell tower's mobile country code (MCC), system ID (SID), network ID(NID), and billing ID (BID) to identify the tower along with the signalstrength to characterize the device's connection to the tower. For CDMA,GSM, and other networks, there may also be additional parameters such asthe absolute signal level, the signal level relative to noise, and thebit error rate reported depending on the software and hardware presenton the device. If information regarding multiple cellular network towersis available, the device may report information for each cell tower tothe server for increased accuracy.

If the device has a built-in location mechanism, such as one provided bythe network operator, device manufacturer, or other party, the softwareon the device may use the built-in location mechanism alone or inconjunction with other location systems. In an embodiment, when thesoftware on the device receives a command from the server to reportlocation-related information, the device initiates a request to thebuilt-in location mechanism to retrieve the device's location. When thebuilt-in location mechanism returns a location, the software on themobile device reports it to the server. While the built-in locationmechanism is determining the device's location, the software on thedevice may use GPS, Wi-Fi, or cell-tower location systems as well inorder to maximize the speed and accuracy of location-relatedinformation.

In the case of GPS or the device's built-in location mechanism, thedevice 101 directly reports the physical location and associated data tothe server 111. In the case of Wi-Fi, cell-tower, or other similarlocation systems, the device 101 reports information to the server 111which must be processed to determine the physical location of thedevice. In an embodiment with reference to FIG. 14, the server 111utilizes an external location service 1400 which is accessible via anHTTP API to estimate the device's location based on one or more locationsystems. When the device reports location-related information to theserver 1401, the server stores the information in a database 1402. Thenext time the client computer 233 requests to display the locationreported by the device 1403, the server contacts the external serviceusing its HTTP API and transmits some or all of the location-relatedinformation provided by the device 1404. In order to transmit thisinformation, the server may need to process the information andtransform it into a format compatible with the external service API.When the external service returns the physical location of the device1405, the server saves it in a database and returns the location to theclient computer for display on the web page 1406. Because the physicallocation output by the external service is stored in the database, thenext time the client computer requests that location from the server1407 and the device has not reported any new location-relatedinformation, the server returns the location from the database 1408 anddoes not need to request the same location multiple times from theexternal service. If the third party service returns simply locationcoordinates, the remote access web page displays the estimated locationon a map. If the service also returns an interval of confidence, theserver stores the interval of confidence, and the remote access web pagedisplays a confidence region on the map. If the service returns anaddress or description of the estimated device location, the serverstores this data, and the remote access web page also displays thatinformation.

In addition to or instead of using an external service to determine thephysical location of the device from location-related information thatdoes not directly specify the device's physical location, the server mayuse various systems to estimate the physical location of a device. Thesesystems may require a database of known location information relating toWi-Fi access points and cell-towers. The database can include locationsof cell-towers and associated identifiers, locations of Wi-Fi accesspoints and associated identifiers, cellular network signalcharacteristics at known physical locations, and other similarinformation. In an embodiment, the database is used to prepare or traina fuzzy system, neural network, or other system which may be used toestimate the location of a device. When the server needs to determinethe location of the device, the system is already prepared and requiresminimal computational power to estimate the device's location. In anadditional embodiment, the server may estimate the device's locationbased on its proximity, as determined by signal strength or other signalcharacteristics, to one or more items in the database with knownlocations. In an embodiment, when the device sends location-relatedinformation to the server, the server sends a portion of the databasecorresponding to an area around the device's current location to themobile device. The device can perform location processing without havingto communicate with the server while it is in the area corresponding tothe selection of the database. When the device moves out of the area, itcan request a selection of the database corresponding to the new areafrom the server.

Mobile device location is an important part of the present invention.Providing the owner of the lost or stolen mobile device with accuratedata about its location allows the owner to make careful decisions aboutthe actions to take with respect to the mobile device security. Somesuitable geo-location capabilities that can be used with the presentinvention are the services provided by Loopt, Inc.; Skyhook Wireless,Inc.; Mexens Intellectual Property Holding, LLC; and Google, Inc. MexensIntellectual Property Holding, LLC holds U.S. Pat. No. 7,397,434 andTrue Position, Inc. of Berwyn, Pa. also has a substantial portfolio ofissued U.S. patents, of which U.S. Pat. No. 7,023,383 is exemplary, bothof which describe and claim a variety of non-GPS based mobile devicegeo-location techniques.

2.Sound

If the user loses the device and believes it to be nearby, the devicecan be instructed to emit a loud sound 541. Because many users keeptheir mobile devices in vibrate-only or silent ringer modes, simplycalling the device's phone number is not a practical way to find anearby missing phone. In an embodiment, upon receiving a command tostart playing a sound, the local software component on the mobile devicewill turn the device's speaker to maximum volume and start playing therequested sound. The mobile device can be configured to stop the loudsound after a predetermined period of time or when the user presses abutton on the mobile device. The remote access component on the mobiledevice can interpret the button actuation as the device being found.

If the user wishes for the device to play a specific sound, the presentinvention allows the user to choose or record a custom sound which willbe played on the mobile device. In an embodiment, the remote access webpage allows the user to select a file on his or her local computer toupload to the server. The server re-encodes the uploaded sound into aformat which can be played on the mobile device if it is uploaded in aformat which is not ideal to be played on the mobile device. In anembodiment, the server allows the user to record a sound on his or hercomputer to be played on the mobile device. Using a browser add-on suchas Adobe Flash, a recording application can be embedded into the remoteaccess web page which allows sound to be recorded and sent to theserver. After recording a sound, the user may give the sound a name sothat it is identifiable in the future. The server may store soundsuploaded or recorded by the user so that the user can have the deviceplay his or her previously uploaded sounds in the future. The user isgiven a choice of sounds to play on the mobile device which may includedefault sounds as well as any uploaded or recorded sounds that belong tothe user 55 1. If the user selects a default sound that is alreadystored on the device, the server sends a command to play that sound tothe device. If the user selects a custom sound or other sound that isnot on the device, the server sends a command to play the sound alongwith the data for the custom sound. In an embodiment, the web pageallows the user to control if the sound is played in a loop, and if sofor how many times or for how long to loop for 552.

3. Lock

If the user believes that the mobile device is not within audible rangeand wants to recover it without wiping the onboard data, a lock command542 may be issued to the device. The lock command 542 deactivates thecontrols of the mobile device but leaves the stored data intact. In thelocked state, functional control based upon the input keys is eliminatedexcept for the ability to make calls to emergency numbers or to enter apassword to unlock the device. The mobile device cannot be used to makephone calls (except for calls to emergency numbers), transmit textmessages, display information, play media, or perform any other normalmobile device functionality. Because the locked mobile device may not bevaluable or useful, a thief or unauthorized user may abandon the mobiledevice. If the mobile device is retrieved by the owner, the remoteaccess web page can be used to unlock the mobile device to restore thenormal functionality. In this embodiment, the user may use the remoteaccess web page to unlock the device 571. The mobile device may alsoallow the entry of authentication information such as a password toallow the user to unlock the device without requiring access to theremote access web page. In an embodiment, the remote access web pageallows the user to select a password which is required to unlock thedevice when initiating the lock command 553. The password on the remoteaccess web page may be initially populated with a default value.

In an embodiment, the mobile device is configured to display informationsuch as how to contact the owner when the local software component locksthe mobile device. The information displayed on the device may includean email address, phone number, or mailing address. Alternatively or inaddition, the remote access component on the device may have a method bywhich someone who finds the missing device can easily call a pre-definedphone number to reach the owner of the device or a recovery service.

4. Backup and Restore

The backup data command 544 causes the mobile device 101 to transmitsome or all of its stored data to the server 111 where it is securelystored in a mobile device backup database. The stored data may includedocuments, pictures, call history, text messages, videos, audio, notes,internet favorites, contacts, calendar appointments, to do list items,applications, settings, credentials, and other data that may be storedon a mobile device. The stored data may be stored on the device'sinternal memory, a SIM card attached to the device, a removable ornon-removable storage card, or any other storage system associated withthe mobile device. The backup data stored on the server can be restoredback to the mobile device if it is recovered or alternatively restoredto a new replacement mobile device if the lost mobile device is notrecovered. In an embodiment, the backup system can be set to performregular backups at set time intervals. Because only some of the storeddata may change or be added between each backup, the system may onlytransfer new data or data that has been changed since the last backupwas performed. In an embodiment, the local software component 175 on themobile device tracks the data that has previously been backed up to theserver in a database which is stored on the device. When the backup isrequested, the local software component compares information in thedatabase to data stored on the device to determine what changes need tobe reported to the server. In an embodiment, the local softwarecomponent 175 reports the current state of all the data on the mobiledevice to the server. The server software 117 compares this report tothe current data stored on the server and notifies the device which dataneeds to be backed up to the server. By only backing up data that haschanged since the previous backup, the system reduces the amount of timeand energy required to perform incremental backups. Because a lostmobile device may have only a limited amount of energy available fromits battery, it is beneficial to minimize the impact of performing abackup.

To enable the recovery of data that was deleted or overwritten on thedevice, the server stores past versions of data that are not present onthe device. In an embodiment, when the device informs the server thatdata has been deleted on the device, the server marks the backed up datain the server's database as deleted, but does not remove the data. Whenthe device informs the server that data has been updated or otherwisechanged on the device, the server marks the previous version of the datain the database as changed and adds the latest version of the data tothe database. In order to efficiently handle multiple versions of data,the backup database on the server stores meta-data relating to the databacked up from the user's device. The meta-data includes the time whenthe data was first present on the device or was first sent from thedevice to the server. The meta-data also includes the time when the datawas removed or replaced on the device or the time when the replaced datawas sent to the server. The combination of the two times allows theserver to be able to query the database to determine what data wasactive on the device at any given time. Any data that the device has notreported as deleted or modified has a started time but no ended time.Data that has been replaced or changed has an associated identifierwhich can be used to find the next version of that data. In anembodiment with reference to FIG. 17, a data viewing web page generatedby the server 111 allows the user to view the data on the device at agiven point in time. The data viewing web page visually displays datafrom the currently selected time period 1701. Individual data items areeach represented visually on the web page. The data viewing web page hasa user interface control such as a slider or calendar which allows theuser to select a date or specific time from which to display the backedup data. The bounds of the time the user interface control is able toselect are set to the earliest and latest data present on the currentlyselected device 1702. When the user changes the user interface controlto select a given time 1703, the data viewing web page changes either byreloading or by updating itself by using a technology such as JavaScriptor Adobe Flash. The time displayed on the page changes to represent thecurrently selected slider date 1704. The data viewing web page may allowthe user to view a timeline showing when data has been changed, added,or deleted from the device. Changes to data may appear as events on thetimeline. The events on the timeline may be shown as a visualrepresentation of the data being changed, added, or deleted. In anexample, the visual representation includes a thumbnail icon of the databeing changed, added, or deleted. The data viewing web page may allowthe user to select a specific data item and view previous versions ofthat data item. The previous versions may be displayed as a list witheach item representing a previous version of the data item. Eachprevious version may be visually represented with a thumbnail of thedata.

In order to ensure that users back up no more than their allotted amountof data, the server may enforce a quota which determines how much data adevice or set of devices is allowed to store on the server. In anembodiment with reference to FIG. 15, the data storage quota for adevice is defined in terms of total data size and number of data itemsstored. The device's quota has a soft and hard limit, the soft limitsmaller than the hard limit. A quota is considered reached if either thetotal data size or number of data items stored exceeds a thresholdspecified for either value. When the device sends backup data to theserver 1501, the server checks to see if the device has reached its hardlimit of data storage on the server 1502. If the device has more activedata being backed up than the server has allocated to the device'shard-limit quota, the server will deny requests to back up the data1503. In an embodiment, the server sends an email, informing the userthat some data from the device cannot be backed up 1504. The emailcorresponding to reaching the hard limit contains a link which allowsthe user to increase the data storage quota allocated to his or herdevice or delete data associated with the device. If the device has notreached its hard limit, the server checks to see if the device hasreached its soft limit 1505. If the device has not reached its softlimit, the server stores the data 1507. If the device has reached itssoft limit, the server sends an email informing the user that thedevice's quota has been reached 1506 and stores the data 1507. The emailcorresponding to reaching the soft limit contains a clickable link tothe server which allows the user to increase the data storage quotaallocated to the device or delete data associated with the device tobring the device under the soft limit. The email informs the user thatthe server will automatically remove old data that is not active on thedevice to make sure that new data can be backed up from the device. Ifthe user does not perform actions to bring the device's data under thequota soft limit after a period of time, the server will automaticallyremove old data to bring the device's data under the quota limit. Thisremoval process only removes data that has been updated or deleted. Datathat is currently present on the device (i.e. active data) will not beremoved. The email may show some or all of the data items that will belost if the user does not bring the device's data under the soft limitbefore the server begins removing data.

Once the device has backed up data to the server, the server may allowthe user to restore some or all of the data that has been backed up to anew device or to the device from which the data originated. When data isrestored to a device, the data is sent from the server to the device,with instructions for the device to store the data. In an embodiment,the server can generate multiple web page interfaces by which the usercan restore data. In one interface, the user can instruct the server torestore all of the data backed up from one device and active therestoration at a given time to that device or another device. In anotherinterface, the user can instruct the server to restore certaincategories of data backed up from one device and active at a given timeto that device or another device. In a further interface, the user mayview individual pieces of data and select one or more data items backedup from one device to be restored to that device or another device. Thisindividual item restore interface also allows the user to download oneor more items stored in an archive such as a ZIP file. In an embodiment,the individual restore interface is integrated into the data viewing webpage so that data can be restored while it is being viewed. All of therestore interfaces may allow the user to select a specific time or timeperiod from which to restore active data from. Active data at a giventime is data that has been backed up to the server before the given timeand considered to be present on the device as of the given time.

The inventive system may allow the user to restore some or all of thedata backed up from one device to a different device, even if the targetdevice has a different operating system or has other compatibilitydifferences. In an embodiment, when backing up data, the local softwarecomponent on the mobile device transforms data from a device-specificformat into a universal format. For example, devices which run theWindows Mobile operating system store contact information in a specialformat. In an exemplary embodiment, the inventive system transforms thedata for a contact into a standardized universal XML format. If theuniversal XML contact data is restored to a Windows Mobile device, thedata is transformed back into the native Windows Mobile contact format.If the universal XML contact data is restored to another type of devicesuch as one running the Android operating system, the universal XMLcontact data is transformed into the native data format supported bythat device. Although this example illustrates one data type, all dataformats which are not universally supported can be handled by theinventive system. In an embodiment, the server transforms data suppliedby the mobile device into a universal format when the data is backed upor when the data is transferred from one device to a device of adifferent type. In an embodiment, both server-side and device-sidetransformations can be used if the data transformations would bedifficult for a mobile device to perform because of battery, CPU,memory, or other limitations. In an embodiment, transformations areperformed by the server to convert data between a first and a secondnative format when data that has been backed up in the first nativeformat is being transferred to a device which does not support the firstnative format but does support the second native format.

In order to facilitate easy migration from one device to another, theserver may generate a device migration web page which allows the user togo through a process to transfer data, settings, installed applications,and other information from the user's previous device to the user's newdevice. This process may also be used to provision a device from avirtual or physical default device so that organizations may easilystandardize new or existing devices. In an embodiment with reference toFIG. 18, the process presents to the user a series of steps via thedevice migration web page that, when finished, result in some or all ofthe data, settings, or applications from a source device to betransferred to a destination device. First, the server requires that theuser identify the source device from which to transfer 1801. The devicemigration web page contains a list of existing devices associated withthe user's account and gives the user the option of adding a new device.If the user installs software on a new device, the process waits forthat device to backup its information to the server before proceeding.After the source device is identified by the server, the serverpresents, via the device migration web page, an interface for the userto select the destination device 1802. The device migration web pagecontains a list of existing devices associated with the user's accountand gives the user the option of adding a new device. If the userchooses to install software on a new device, the process waits for thenew device to become active on the server before proceeding. Once thesource and destination devices are identified, the server presents tothe user, via the remote access web page, an interface for choosing whatdata, settings, or applications to transfer to the destination device1803. Once the user has chosen what to transfer, the server queuescommands to be sent to the destination device, indicates for thedestination device to connect to the server, and transmits the commandsto the device when the device connects 1805. In an embodiment, data isconverted before it is transmitted to the device 1804. The data may beconverted before the commands are queued or after the commands arequeued but before the data is transmitted to the device. If the devicesrun compatible operating systems or the data is in a universal format,the data may be directly transferred without conversion. If the devicesrun incompatible operating systems, the server may convert the data tomake it compatible with the destination device. In an example, ifapplications are being transferred from the source device to thedestination device and the two devices run incompatible operatingsystems, the application running on the source device would not run onthe destination device. The server may reference a database containingapplication equivalents for different platforms and choose to transfer aversion of the application to the destination device that is compatiblewith the destination device's operating system. If there is not aversion of the application available for the destination device, asuitable substitute may be chosen. During the time while the desiredinformation is being sent to the destination device, the devicemigration web page displays a progress indicator showing the status ofthe transfer process. When the transfer is finished, the server informsthe user, via the device migration web page, that the migration iscomplete and the destination device is ready to use.

5. Wipe

The user can also instruct the mobile device to wipe the data stored onthe mobile device 543. In order to make sure that all of the data on alost device is backed up before it is wiped, the destruction of storeddata may be performed after the mobile device has locked and a backuphas been performed. In order to ensure that the data cannot be recoveredfrom the mobile device, the mobile device may write over the entirememory with meaningless data. In an embodiment, the mobile device writesover the memory multiple times to ensure that no residual traces of dataare left. In addition to the mobile device's onboard memory, there maybe additional components associated with the mobile device which canstore data such as removable or non-removable storage devices andSubscriber Identification Modules (often called SIM cards). On storagecards, some mobile devices can store pictures, documents, applications,and other data. On SIM cards, some mobile devices can store contacts,text messages, applications, and other data. In an embodiment, when themobile device performs a wipe, it erases the data on some or all of theadditional components which can store data. If the mobile device isrecovered, backed up data can be used to restore some or all of the datathat was previously wiped.

6. Other Remote Actions

In an embodiment, the remote access web page allows the user to requestthat the server instruct the device to record audio from its microphone,video from its camera, or both. The recording may be for a defaultperiod of time, the user may specify a time interval to record for, orthe user may specify a periodic recording. After the device recordsaudio and/or video, it sends the audio and/or video data to the server.The remote access web page shows recently recorded data uploaded by thedevice. The remote access web page allows the user to download recordeddata as well as view it directly in the web page. In an embodiment, theuser may use the remote access web page to stream audio and/or videofrom the device. Upon receiving a request to stream audio and/or video,the server sends a command to the device which then begins streaming therequested media to a streaming server using a protocol such as RTP(Real-time Transport Protocol). The mobile device encodes the audioand/or video in a compressed format to minimize the data rate requiredto stream. The remote access web page contains a small application whichutilizes a browser component such as Flash from Adobe to allow the userto view the streaming audio and/or video from the device. The streamingserver may process the video and/or audio from the mobile device inorder to make it compatible with the streaming media displayapplication. In addition, the streaming server may store the streamedaudio and/or video from the device for later retrieval by the user. Theremote access web page may display previously recorded streams fordownload by the user.

In an embodiment, the remote access web page allows the user to requestthat the server instruct the device to take a picture using the device'scamera. In an embodiment, the remote access web page allows the user tospecify that the device should take pictures periodically at a specifiedinterval. After the device takes a picture, it sends it to the server.The server saves the picture and displays the latest pictures on theremote access web page for viewing or download by the user. The remoteaccess web page may display previous pictures so that the user may viewpictures taken by the device over a period of time.

7. Status Reporting

In addition to remote access controls, the remote access web page canprovide status information for the requested commands. As discussed, themobile device transmits reports to the server which indicate the statusof commands sent to it. The local software component on the mobiledevice interprets the commands being sent by the server and reports onthe status of the commands. The reports can include the progress of thecommands, the completion of the commands and other informationpertaining to the mobile device. In an example referencing FIG. 5, theuser selected to locate the device, backup data from the device, lockthe device, and wipe all data from device. The remote access web pageindicates that the server is in contact with the mobile device andcommunications are OK 560. The mobile device has been locked 564 and thesystem is 57% complete in backing up data from the device 562. Thestatus of wiping the device 563 is at 0% because the system is waitingfor the backup to be completed. The user may stop the wipe by pressingthe cancel button 570.

If a device's session with the server is interrupted and not resumedwithin a given amount of time, the remote access web page will indicatethat the communications with the device are lost. The server mayautomatically attempt to indicate to the device to reconnect or allowthe user to request that the server indicate to the device to connect.If the server indicates to the device to reconnect, the remote accessweb page shows the status of attempts to re-establish communications.When communications are re-established, the remote access web page willagain indicate that communications are OK 560 and the remote accesscommands will resume from the point at which communications were broken.

8. Lost/Stolen Device Functionality

When the device is lost or stolen, it may be desirable for the device tohide the presence and prevent removal of software such as the localsoftware component. In an embodiment, the server can issue a commandwhich puts the device into a lost/stolen mode. When the device is inlost/stolen mode, it may hide any user interface components related tothe local software component, prevent removal of the local softwarecomponent, and report the location of the device and actions performedon the device such as phone calls, text messages, web pages visited, andSIM card changes. The remote access web page may display that the deviceis lost/stolen. In a further embodiment, the remote access web pagedisplays the location corresponding to the device's location reports ona map and displays a list of the actions performed on the device sinceit has been in lost/stolen mode. The map may show the location of thedevice over multiple points in time to convey information regardingmovement of the device. In an embodiment, entering lost/stolen modeautomatically triggers the local software component on the mobile deviceto perform certain actions. For example, when in lost/stolen mode, thelocal software component on the device automatically takes a pictureusing the device's camera periodically. Alternatively, when inlost/stolen mode, the local software component on the deviceautomatically records audio and/or video from the device. In each case,the device sends data resulting from the automatically performedaction(s) to the server. The data is displayed on the remote access webpage for view by the user. The remote access web page allows the user toconfigure what actions, if any, should be performed by the device whenit enters lost/stolen mode.

The device may automatically enter lost/stolen mode upon certain events.In an embodiment, the server automatically instructs the local softwarecomponent on the device to go into lost/stolen mode when the userrequests for the server to send a remote access command which isindicative of the device being lost or stolen. Commands such as lock,play sound, locate, wipe, or backup may indicate that the user has lostthe device or that the device was stolen. In a further embodiment, theactions configured to be automatically performed when a device enterslost/stolen mode will only be performed as a result of the userexplicitly commanding the device to enter lost/stolen mode and not as aresult of the device entering lost/stolen mode because the userrequested a command that is indicative of the device being lost orstolen. In an embodiment, if the SIM is changed or removed on the mobiledevice, the device will automatically enter lost/stolen mode and notifythe server of the lost/stolen mode state. In an embodiment, the devicewill automatically enter lost/stolen mode if it is detected to be in alocation area that has been pre-defined by the user to put the deviceinto lost/stolen mode. The location area may be defined by selecting anarea(s) that the device must stay inside of or by selecting an area(s)that the device may not enter. If the device violates this location areaselection requirement, the server automatically puts the device intolost/stolen mode. The user may use the remote access web page to definethe location area(s). In an embodiment, the actions configured to beautomatically performed when the device enters lost/stolen mode willonly occur when the device enters lost/stolen mode as a result ofevents, such as the SIM being replaced or the device entering thepre-defined lost/stolen location area, occurring.

In an embodiment, the user can use the remote access web page tomanually request for the server to instruct the mobile device to turn onlost/stolen mode. When the device is in lost/stolen mode, the user mayuse the remote access web page to request for the server to instruct themobile device to turn off lost/stolen mode. In an embodiment, if thedevice is locked and the user enters valid authentication informationsuch as a password on the device to unlock it, the device willautomatically turn off lost/stolen mode and notify the server of thelost/stolen mode state.

When the device enters lost/stolen mode, the server may notify the useror an administrator via an email or other alert. In an embodiment, theemail sent to the user when the device automatically enters lost/stolenmode has two links, one with text that corresponds to the user stillhaving possession of the device and another with text corresponding tothe user not having possession of the device. If the user follows thelink corresponding to not having possession of the device, the serverdisplays the remote access web page for the user to perform any desiredactions. If the user follows the link corresponding to having possessionof the device, the server turns off lost/stolen mode for the device andinforms the device of the lost/stolen mode state. In an embodiment, theserver sends the email when the device is in lost/stolen mode and theuser has not turned it off after a period of time. In an exemplaryembodiment, when the user locks the device from the remote access webpage, lost/stolen mode is automatically turned on. If the user does notturn off lost/stolen mode, the server emails the user after apredetermined time period such as 1 hour. After receiving the email, theuser may click on the link corresponding to having recovered the deviceor the user may click the link corresponding to not having recovered thedevice. If the device has not been recovered, the user may use theremote access web page to wipe the device and prevent any sensitiveinformation on the device from being used for illegitimate purposes.

In an embodiment, the email sent to the user in the case of a devicebeing in lost/stolen mode includes information about how to contact thephone's service provider to prevent fraudulent use of the phone'sservice. The service provider information may be generated based oninformation provided by the device during the server's previouscommunications with the local software component on the device.

When the device is lost or stolen, the user may need a replacement assoon as possible. If the user is traveling or otherwise unable to obtaina replacement device easily, it is advantageous for the system topresent the user with opportunities to replace the device. In anembodiment, the email sent to the user in the case of the device beingin lost/stolen mode includes offers for the user to purchase areplacement mobile device. In an embodiment, the server generates adevice replacement web page that includes offers for the user topurchase a replacement mobile device. The offers may be selected basedon the user's current mobile device type, the user's country of origin,the user's previous mobile operator, and other information which isavailable to the server. In order to provide the user with the bestpricing, availability, and delivery time, the system interfaces withthird party vendors or the user's mobile operator to determine whatoffers to present to the user. The device replacement web page allowsthe user to filter offers by factors such as phone operating system,presence or absence of a physical keyboard, network type, and networkoperator. In an embodiment, the user provides a location by enteringinformation such as an address, country, or postal code on the devicereplacement web page. The server interfaces with one or more mobiledevice vendors to determine options available for the user to obtain anew device nearby the provided location. The server displays a mapshowing where the user may obtain a replacement device nearby theprovided location and optionally, the pricing and availability ofdifferent replacement devices. In an embodiment, the server displaysestimated or guaranteed delivery times for vendors to deliver areplacement device to the location provided by the user. In anembodiment, the server generates the device replacement web page for auser without an account on the server.

Because both the server software and the local software component canalter the device's state, it is desirable for the local softwarecomponent to be able to report the device's current state to the server.The state of the device includes whether or not it is locked, whether ornot it is in lost/stolen mode, and other state information that may bechanged by the server software or the local software component on thedevice. In an embodiment, the local software component on the devicereports state information to the server periodically or upon certainevents such as session initiation. In an example, if the device islocked because of a command from the server and the user enters apassword directly on the device to unlock it, the server needs to benotified that the device has been unlocked. The next time the deviceconnects to the server, it transmits its state information which updatesthe device's lock state stored on the server.

If the device cannot communicate with the server, it is possible thatthe user has commanded the device to enter lost/stolen mode or toperform a remote action but the device does not receive the command. Inan embodiment, the local software component on the device automaticallylocks the device when the device has been out of network coverage for aperiod of time, the device's SIM is removed or changed, the device hasbeen turned off for a period of time, or upon other events that wouldrender the device unable to receive commands from the server. The deviceis automatically unlocked once communications are re-established withthe server. If the device is locked and trying to communicate with theserver, the user may enter authentication credentials such as a passwordto unlock the device without having connected to the server. Thepassword may be set using a web page generated by the server or via auser interface on the mobile device.

9. Protection from Unauthorized Access

In order to protect user privacy, the inventive system may be configuredso that the local software component 175 on the device 101 only acceptscommands from the server that are accompanied with special remote accessauthentication credentials. In an embodiment with reference to FIG. 16,the server 111 can only generate the remote access authenticationcredentials in a short period of time with information supplied by theuser. The local software component on the device is initially configuredwith its special remote access authentication credentials. Thecredentials themselves are not sent to the server. The device generatesverification information and a “challenge” token and transmits them tothe server 1602. The verification information and “challenge” token arestored by the server 1603. When user-supplied authentication informationis received by the server, the server uses the verification informationto check whether the user-supplied authentication information is correct1604. If the authentication information is correct, the server combinesthe user-supplied authentication information with the “challenge” tokento generate the remote access authentication credentials 1605. If theauthentication information is not correct, the server does not generatethe remote access credentials 1606. When the server has validauthentication credentials, it transmits a command to the device alongwith the valid credentials 1607. The device receives the command andchecks the credential 1608. If the credential is valid, the deviceprocesses the command and returns its results to the server 1609. If thecredential is not valid, the device rejects the command 1610. If thedevice requests that the server change the “challenge” token 1611, theserver will store the new token and discard the old token 1612. Thedevice may request the “challenge” token to be changed periodically orupon certain events to prevent attacks where previously used credentialsare replayed to the device. In a further embodiment, the remote accessauthentication credential is generated using a special remote accesspassword. The user sets the remote access password on the device 1601.When the remote access password is set on the device, the devicegenerates verification information and a “challenge” token and transmitsthem to the server 1602. The verification information includes a randomsalt used for password verification and the result of hashing thepassword with the verification salt. The “challenge” token is a secondrandom salt used to generate the authentication credential and not equalto the first salt. The server stores the verification information andthe “challenge” token 1603. In order for the mobile device to perform anaction, the server must supply the command along with the correctauthentication credential. The correct authentication credential is theresult of hashing the password with the “challenge” salt using analgorithm such as SHA-1. Because the server does not have the originalpassword, it is considered mathematically infeasible for the server togenerate the correct authentication credential without the usersupplying the correct password, so long as the hash function in use isconsidered cryptographically effective. Because the server has theverification salt and the expected output of hashing the password withthe verification salt, the server can verify whether or not a givenpassword entered by the user is correct. When the user requests a remoteaccess command that requires an authentication credential through theremote access web page, the user is asked to supply the remote accesspassword for the device. The user supplies the remote access password tothe server by entering it on the remote access web page and sending thepassword to the server. The server hashes the password with theverification salt and compares it to the expected verification hashresult 1604. If the password is correct, the server hashes the passwordwith the “challenge” salt to build the authentication credential 1605.If the password is incorrect, the server informs the user via the remoteaccess web page 1606. The password is discarded after the authenticationcredential is generated. The server only temporarily stores theauthentication credential while it is sending commands to the device andreceiving status from the device corresponding to the secured remoteaccess commands. After the credential is not needed for specificcommands requested by the user, it is discarded. After any commands arecompleted, the software on the mobile device may send a new “challenge”salt to the server 1611 to prevent the server from using the previousauthentication credential again. After receiving the new “challenge”salt, the server discards the old “challenge” salt 1612. In analternative embodiment, the server supplies the remote access web pagewith the password verification hash, the password verification salt, andthe “challenge” salt so that the remote access web page can generate theauthentication token without sending the remote access password to theserver. When the user enters a password on the remote access web page,software in the web page written in a language such as JavaScript hashesthe password with the verification salt and compares it to the expectedverification hash result to determine whether or not the password iscorrect. If the user enters the correct password, the remote access webpage generates the authentication credential by hashing the passwordwith the “challenge” salt and sends it to the server. The server canthen send the desired remote access command to the device with thecorrect remote access credential.

10. Multiple-Device Management

Although the present invention has been described for access to andcontrol of a single mobile device by a single user, it is also possiblefor the invention to be used for control of a group of mobile devices bya group administrator and/or for control of multiple devices belongingto a single user. Rather than displaying a management interface for asingle mobile device, a group administrator or user with multipledevices can have access to multiple different mobile devicessimultaneously.

In an embodiment, the server generates a multiple-device management webpage which allows policy, security, and configuration settings to bechanged for a group of devices simultaneously. When a user of themulti-device management web page changes settings for the group, theserver sends commands to update the modified settings to each device inthe group. The group may contain devices which have different operatingsystems, hardware capabilities, mobile network types, and othervariations. In a further embodiment, the settings commands sent todevices of different types are the same. The local software component oneach device interprets each settings command and performs any necessarysettings changes appropriate to that device. In an embodiment, theserver only sends commands to a device which are appropriate for thatdevice type.

In an embodiment, the multiple-device management web page allows actionsto be performed remotely on a group of devices simultaneously. When anaction is selected to be performed on a group of devices, the serversends a command to each device present in the group. The multiple-devicemanagement web page shows the status of commands for each device (e.g.“3 commands outstanding for this device”) and a representation of theoverall group's execution status for each command (e.g. “534 of 550devices successfully completed backup”). The web page may show thedevices or number of devices in each stage of command completion (e.g.“Waiting to send command”, “Command sent”, “Command in progress”,“Command finished”, “Command Failed”). For commands that return data tothe server such as a locate command, the web page may show the locationsof each device on a map. In an embodiment, the user of the web page maychoose to only display devices that are in a certain geographic area.The area can be defined by selecting a portion of a map. The area canalso be defined by specifying a radius and selecting a point on a map ortyping the address or name of a location. In an embodiment, locationsspecified by the user of the web page are stored by the server forrepeated use.

In addition to managing a group of devices, an administrator may use theserver to access a single device belonging to an individual user. If thedevice belonging to an individual user is lost or stolen, the user ofthe device can inform the administrator who can then determine thelocation of the device. If the user cannot find the mobile device, theadministrator can assist the user in locking the device, backing up thedata stored on the device, and wiping all data from the device. Theadministrator can then provide the user with a replacement mobile devicewhich has had the user's data restored onto it.

In an embodiment, a mobile device can be accessed both by its user and agroup administrator. The group administrator can determine whatpermissions the user has to manage the device from the server. Forexample, the administrator may specify that users can access theirdevices' backed up data, perform remote actions on their devices, butmay not modify their devices' security, policy, or configurationsettings. In this case, a user can use the server to perform remoteactions on a device without the help of an administrator. By allowingusers to perform remote actions on their mobile devices directly withouthaving to go through an administrator, the inventive system may help anorganization decrease its number of lost devices and secure lost orstolen devices more quickly, thereby minimizing the possibility ofsensitive data being compromised. In an embodiment, the administrator isnotified when a user performs missing-device related actions so that theadministrator can verify that the missing device was either found or putinto a secure state. In an embodiment, multiple sets of managementpermissions can be defined on the server so that the server providesmultiple management interfaces, each specific for differentadministrative roles. In an example, the server is configured so that amobile network administrator is able to change security settings for agroup of devices, an IT administrator is able to modify policy andremotely perform actions on the group, and a user is able to view backedup data from and remotely perform actions only on his or her mobiledevice. In an embodiment, the server can be configured to supportarbitrary permission grouping for individual devices and groups ofdevices so as to support many different organizational orcross-organizational use cases. In an embodiment, a given device can bea member of multiple groups, inheriting settings from each group. Whensettings for a single group are changed, those changes are sent tosoftware on the device. In the case of conflicting setting changes, theserver defines a policy by which conflicts are reconciled. For example,disabling device functionality such as Bluetooth overrides theenablement of that functionality. In a further embodiment, the devicecan have settings defined that override any group settings.

In an embodiment, an administrator can access security statusinformation for a group of mobile devices through a web page generatedby the server. In order to monitor the security status of all the mobiledevices in a group, the mobile devices can be configured to transmitsecurity status and security event information such as being infectedwith a virus or receiving a network-based attack to the server. Theserver then compiles the security information and displays the securitystatus for the group of mobile devices on an administrator's computerthat is in communication with the server. By displaying the securitystatus for all mobile devices in the group, the administrator canquickly identify a mobile device that is compromised. If a virus orother severe security event is detected on a mobile device, theadministrator will be informed and can take defensive actions to isolatethe mobile device to protect other mobile devices and protect the datastored on the compromised mobile device. Additional details of theremote control of the mobile devices are disclosed in co-pending U.S.patent application Ser. No. 12/255,635, “Security Status and InformationDisplay System.”

D. Countering Espionage and Terrorism

Lost and stolen devices are the most prevalent and most serious threatfacing mobile device deployments today. As government and commercialentities often store data on mobile devices relating to criticalinfrastructure and of importance to national security, securing lost orstolen mobile devices is of key importance to the interests of thecountry and specifically, in preventing terrorist threats that benefitfrom the information stored on mobile devices. Physical threats, such aslost or stolen devices, are intrinsically difficult to deal with becausethe nature of mobile devices. Mobile devices are not continuouslyconnected to a central network, they are constantly in hostileenvironments, and they are predisposed to store important and sensitiveinformation. The inventive system significantly bolsters government andcommercial entities' ability to prevent sensitive data on mobile devicesfrom falling into the hands of unauthorized parties, such as foreignintelligence agents, terrorist collaborators, and the like. When adevice containing sensitive information is lost or stolen, the inventivesystem provides an administrator with an array of options to deal withthe problem. Furthermore, embodiments of the inventive systemautomatically identify a likely lost or stolen device even before a usermay notice it as missing.

One will appreciate that in the description above and throughout,numerous specific details are set forth in order to provide a thoroughunderstanding of the present invention. It will be evident, however, toone of ordinary skill in the art, that the present invention may bepracticed without these specific details. In other instances, well-knownstructures and devices are shown in block diagram form to facilitateexplanation. The description of the preferred embodiments is notintended to limit the scope of the claims appended hereto.

What is claimed is:
 1. A method for remote control of a target mobilecommunications device comprising: at a server, processing authorizationcredentials received from a client computer user to determine whetherthe client computer user is authorized to access the server to issue arequest for an action to be performed by the target mobilecommunications device; at the server, and after processing of theauthorization credentials, receiving a request for an action to beperformed by the target mobile communications device, the request forthe action received at the server from the authorized user accessing theserver from the client computer; transmitting a command from the serverto the target mobile communications device, the command corresponding tothe received request for the action to be performed by the target mobilecommunications device; in response to the transmitted command, receivingat the server, information about the target mobile communicationsdevice; interpreting the received information about the target mobilecommunications device to determine whether the transmitted command wasperformed or not performed by the target mobile communications device;if the interpretation of the received information indicates that thecommand was performed by the target mobile communications device,providing a first notification from the server to the client computerthat the command was performed, the notification formatted to populate aclient computer web page containing a request for action status; and ifthe interpretation of the received information indicates that thecommand was not performed by the target mobile communications device,providing a second notification from the server to the client computerthat the command was not performed, the second notification formatted topopulate a client computer web page containing a request for actionstatus.
 2. The method of claim 1, wherein the request for the actionincludes locking the target mobile communications device.
 3. The methodof claim 1, wherein the request for the action includes emitting a soundfrom the target mobile communications device.
 4. The method of claim 1,wherein the request for the action includes backing up data stored onthe target mobile communications device.
 5. The method of claim 1,wherein the request for the action includes deleting data stored on thetarget mobile communications device.
 6. The method of claim 1, whereinthe request for the action includes two or more tasks selected from thegroup: locking the target mobile communications device, emitting asound, backing up data, deleting data and requesting a location andwherein the request for the action includes an order in which the two ormore tasks are to be performed.
 7. The method of claim 1, wherein therequest for the action includes a request for a location of the targetmobile communications device and the information includeslocation-related information of the target mobile communications device.8. The method of claim 7, wherein the location of the target mobilecommunications device includes GPS coordinates for the target mobilecommunications device and information pertaining to a map related to theGPS coordinates which are transmitted by the server for display on theclient computer.
 9. The method of claim 7, wherein the informationincludes radio identification and signal information which indicate thelocation of the target mobile communications device.
 10. A method forremotely determining a physical location of a target mobilecommunications device comprising: at a server, processing authorizationcredentials received from a client computer user to determine whetherthe client computer user is authorized to access the server to issue arequest for determining the physical location of the target mobilecommunications device; at the server, and after processing of theauthorization credentials, receiving a request to determine the physicallocation of the target mobile communications device from the authorizeduser accessing the server from the client computer; transmitting alocate command from the server to the target mobile communicationsdevice, the locate command corresponding to the request to determine thephysical location received from the authorized user; and if the locatecommand was performed by the target mobile communications device,receiving at the server information concerning the physical location ofthe target mobile communications device; and transmitting from theserver to the client computer location information concerning thephysical location of the target mobile communications device.
 11. Themethod of claim 10 wherein (i) the transmitting a locate commandincludes the transmission of a plurality of locate commands over a timeinterval; (ii) the receiving at the server information includesreceiving a plurality of information concerning the physical location ofthe target mobile communications device; and (iii) the transmitting fromthe server to the client computer location information includes aplurality of location information concerning the physical location ofthe target mobile communication device at the different times that thetarget mobile communications device was accessed during the timeinterval.
 12. The method of claim 10 wherein the method furthercomprises, between the receiving at the server information concerningthe physical location step and the transmitting from the server to theclient computer location information step, the additional step ofcombining the information received at the server concerning the physicallocation of the target mobile communications device with target mobilecommunications device physical location data retrievable from the serverto obtain the location information transmitted from the server to theclient computer in the last step of the method.
 13. A non-transitorycomputer-readable storage medium having stored thereon a plurality ofinstructions which, when executed by a processor, cause the processor toperform the steps of a method comprising: at a server, processingauthorization credentials received from a client computer user todetermine whether the client computer user is authorized to access theserver to issue a request for an action to be performed by the targetmobile communications device; at the server, and after processing of theauthorization credentials, receiving a request for an action to beperformed by the target mobile communications device, the request forthe action received at the server from the authorized user accessing theserver from the client computer; transmitting a command from the serverto the target mobile communications device, the command corresponding tothe received request for the action to be performed by the target mobilecommunications device; in response to the transmitted command, receivingat the server, information about the target mobile communicationsdevice; interpreting the received information about the target mobilecommunications device to determine whether the transmitted command wasperformed or not performed by the target mobile communications device;if the interpretation of the received information indicates that thecommand was performed by the target mobile communications device,providing a first notification from the server to the client computerthat the command was performed, the notification formatted to populate aclient computer web page containing a request for action status; and ifthe interpretation of the received information indicates that thecommand was not performed by the target mobile communications device,providing a second notification from the server to the client computerthat the command was not performed, the second notification formatted topopulate a client computer web page containing a request for actionstatus.
 14. The non-transitory computer readable storage medium of claim13 wherein the request for the action includes locking the target mobilecommunications device.
 15. The non-transitory computer readable storagemedium of claim 13, wherein the request for the action includes emittinga sound from the target mobile communications device.
 16. Thenon-transitory computer readable storage medium of claim 13, wherein therequest for the action includes backing up data stored on the targetmobile communications device.
 17. The non-transitory computer readablestorage medium of claim 13, wherein the request for the action includesdeleting data stored on the target mobile communications device.
 18. Thenon-transitory computer readable storage medium of claim 13, wherein therequest for the action includes two or more tasks selected from thegroup: locking the target mobile communications device, emitting asound, backing up data, deleting data and requesting a location andwherein the request for the action includes an order in which the two ormore tasks are to be performed.
 19. The non-transitory computer readablestorage medium of claim 13, wherein the request for the action includesa request for a location of the target mobile communications device andthe information includes location-related information of the targetmobile communications device.
 20. The non-transitory computer readablestorage medium of claim 19, wherein the location of the target mobilecommunications device includes GPS coordinates for the target mobilecommunications device and information pertaining to a map related to theGPS coordinates which are transmitted by the server for display on theclient computer.
 21. The non-transitory computer readable storage mediumof claim 19, wherein the information includes radio identification andsignal information which indicate the location of the target mobilecommunications device.
 22. The non-transitory computer readable storagemedium of claim 19 wherein the method further comprises, between thereceiving at the server information concerning the physical locationstep and the transmitting from the server to the client computerlocation information step, the additional step of combining theinformation received at the server concerning the physical location ofthe target mobile communications device with target mobilecommunications device physical location data retrievable from the serverto obtain the location information transmitted from the server to theclient computer in the last step of the method.
 23. A non-transitorycomputer-readable storage medium having stored thereon a plurality ofinstructions which, when executed by a processor, cause the processor toperform the steps of a method comprising: at a server, processingauthorization credentials received from a client computer user todetermine whether the client computer user is authorized to access theserver to issue a request for determining the physical location of thetarget mobile communications device; at the server, and after processingof the authorization credentials, receiving a request to determine thephysical location of the target mobile communications device from theauthorized user accessing the server from the client computer;transmitting a locate command from the server to the target mobilecommunications device, the locate command corresponding to the requestto determine the physical location received from the authorized user;and if the locate command was performed by the target mobilecommunications device, receiving at the server information concerningthe physical location of the target mobile communications device; andtransmitting from the server to the client computer location informationconcerning the physical location of the target mobile communicationsdevice.
 24. The non-transitory computer readable storage medium of claim23 wherein (i) the transmitting a locate command includes thetransmission of a plurality of locate commands over a time interval;(ii) the receiving at the server information includes receiving aplurality of information concerning the physical location of the targetmobile communications device; and (iii) the transmitting from the serverto the client computer location information includes a plurality oflocation information concerning the physical location of the targetmobile communication device at the different times that the targetmobile communications device was accessed during the time interval. 25.A method for remotely determining a physical location of a target mobilecommunications device comprising: at a server, processing authorizationcredentials received from a client computer user to determine whetherthe client computer user is authorized to access the server to requestthe determination of the physical location of the target mobilecommunications device; at the server, and after processing of theauthorization credentials, presenting a web page to the client computerto enable the authorized user to enter a request on the web page for theserver to determine the physical location of the target mobilecommunications device; at the server, receiving the request from theauthorized user to determine the physical location of the target mobilecommunications device; at the server, transmitting an indication messageto the target mobile communication instructing the target mobilecommunications device to connect to the server; after the target mobilecommunications device connects to the server, at the server,transmitting a command to determine the physical location of the targetmobile communications device; at the server, receiving information fromthe target mobile communications device concerning the physical locationof the target mobile communications device; at the server, reporting thephysical location of the target mobile communications device bygenerating a second web page that contains the physical location, thesecond web page being accessible only to the client computer authorizeduser that requested the determination of the physical location.
 26. Themethod of claim 25 wherein the method further comprises, between thereceiving at the server information concerning the physical locationstep and the reporting step, the additional step of combining theinformation received at the server concerning the physical location ofthe target mobile communications device with target mobilecommunications device physical location data retrievable from the serverto obtain the physical location for reporting in the last step of themethod.
 27. A non-transitory computer-readable storage medium havingstored thereon a plurality of instructions which, when executed by aprocessor, cause the processor to perform the steps of a methodcomprising: at a server, processing authorization credentials receivedfrom a client computer user to determine whether the client computeruser is authorized to access the server to request the determination ofthe physical location of the target mobile communications device; at theserver, and after processing of the authorization credentials,presenting a web page to the client computer to enable the authorizeduser to enter a request on the web page for the server to determine thephysical location of the target mobile communications device; at theserver, receiving the request from the authorized user to determine thephysical location of the target mobile communications device; at theserver, transmitting an indication message to the target mobilecommunication instructing the target mobile communications device toconnect to the server; after the target mobile communications deviceconnects to the server, at the server, transmitting a command todetermine the physical location of the target mobile communicationsdevice; at the server, receiving information from the target mobilecommunications device concerning the physical location of the targetmobile communications device; at the server, reporting the physicallocation of the target mobile communications device by generating asecond web page that contains the physical location, the second web pagebeing accessible only to the client computer authorized user thatrequested the determination of the physical location.
 28. Thenon-transitory computer readable storage medium of claim 27 wherein themethod further comprises, between the receiving at the serverinformation concerning the physical location step and the reportingstep, the additional step of combining the information received at theserver concerning the physical location of the target mobilecommunications device with target mobile communications device physicallocation data retrievable from the server to obtain the physicallocation for reporting in the last step of the method.